Sunday, February 8, 2009

Cracking the case: ‘DOMEX’ system is tool used to analyze crime

(Compiler's note: A must read as the gov't readies for possible budget cuts from the new administration.)

BY MIKE FAHER

When Baltimore authorities seized computers connected to a multimillion-dollar Internet pharmacy operation in late 2006, they turned to Johnstown for help.

Specialists at the National Drug Intelligence Center analyzed large amounts of electronic information, providing crucial evidence that led to two convictions in Maryland’s largest-ever pharmaceutical-trafficking case.

“I just cannot say enough about what they did with these computers,” said Andrea Smith, an assistant U.S. attorney in Baltimore.

That same process has been repeated more than 700 times since 1993: NDIC analysts dissect computers, cell phones and other electronic devices – along with mountains of documents – to support federal criminal cases.

They’ve developed their own software to speed up the process and have quietly assisted in major probes, including the large-scale investigation of the 9/11 terrorist attacks.

At an agency that often is accused of being wasteful and duplicative, NDIC’s Document and Media Exploitation Branch – called DOMEX – is a little-known function that has had a significant impact across the nation and around the world, NDIC officials said.

“Nobody else does what we do,” said Harry Kuerner, DOMEX branch chief.

NDIC officials acknowledge that what they call “document exploitation” is nothing new: Analyzing information and evidence is a vital part of any criminal case.

But the difference in their work, they say, is speed and clarity.

A law-enforcement agency may have limited resources and time to examine large amounts of evidence, particularly data buried deep in a computer system.

But when a federal agency asks NDIC for help, a DOMEX team – usually made up of 18 to 23 people – forms and quickly establishes “priority intelligence requirements” – the slivers of information to look for when sifting through an evidentiary haystack.

Examples include assets and associates of a suspect, financial transactions, phone numbers and “references to a specific crime in notes, e-mails or other communications,” officials said.

DOMEX staff can deploy anywhere, and most foreign-language missions are conducted at a satellite facility called the Utah National Guard/Joint Language Training Center near Salt Lake City.

But in most cases, evidence is shipped directly to Johnstown. A DOMEX team – assisted by specialists working in the NDIC’s Digital Evidence Laboratory – then sifts through that information, coming up with a concise report in an average of two weeks’ time.

That report ensures that evidence is linked to a specific document that was in a suspect’s possession.

Baltimore’s Internet-pharmacy case, for example, involved “overwhelming” amounts of information, Smith said.

But NDIC analysts showed that, of 36 doctors writing prescriptions for the painkiller hydrocodone through a targeted pharmacy called NewCare, 11 of those physicians accounted for more than 98 percent of those prescriptions.

The analysis also found that hydrocodone accounted for about 88 percent of the prescriptions filled by NewCare – for a total of 9.9 million doses.

“It was so compelling,” Smith said.

“You can’t argue against numbers like that.”

She added that the data was “mined from the defendants’ own computers, so they couldn’t say they didn’t know.”

Specialized software

Early on, officials say, NDIC analysts used “whatever tool they could” to compile evidence in Microsoft Word documents for presentation to investigators.

But times have changed: Highly specialized software developed in Johnstown now helps NDIC staff sort and prioritize evidence.

One program is called RAID, short for Real-time Analytical Intelligence Database. It is an organizational tool that allows management of “large quantities of data,” with links between related pieces of information – a suspect’s associates, for example, along with his addresses and travel destinations.

RAID’s reach has extended far beyond Johnstown.

NDIC makes the software available free to law enforcement and intelligence agencies. Last year, the center provided RAID installation and training in the West African countries of Ghana and Togo; conducted a seminar employing RAID in Uganda, East Africa; and finished development of a new, Spanish-language version of the program.

Another important tool – also developed at NDIC – is dubbed “HashKeeper.”

It allows analysts to put aside all commercial software files on a computer and focus solely on files that a user has created or altered. In other words, HashKeeper ignores a Microsoft Word program and zeroes in on Word documents a suspect created.

“This can reduce the amount of time required to analyze computers by up to 60 percent,” an NDIC official said in a recent briefing.

Like RAID, HashKeeper also has found a wider audience: In June 2007, officials announced that the Department of Defense was using the program in Iraq.
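The known-file filtering described above, sketched as an added example; this is not NDIC's or HashKeeper's code. SHA-256, the function names and the sample files are assumptions made for illustration, since the article does not say how HashKeeper stores or matches its hashes.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(evidence_root, known_hashes):
    """Split files into known (set aside) and unknown (left for the analyst)."""
    known, unknown, errors = [], [], []
    for dirpath, _dirs, files in os.walk(evidence_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, evidence_root).replace(os.sep, "/")
            try:
                digest = sha256_file(path)
            except OSError as exc:
                errors.append((rel, str(exc)))  # unreadable files still need review
                continue
            (known if digest in known_hashes else unknown).append(rel)
    return sorted(known), sorted(unknown), errors

def build_demo():
    """Constructed sample: a vendor binary, an altered copy, and a user document."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    vendor = b"VENDOR-BINARY-1.0" * 64
    samples = {
        "Program Files/editor.exe": vendor,
        "Program Files/editor_patched.exe": vendor + b"\x00",  # altered: no match
        "Users/suspect/ledger.doc": b"constructed user document",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Reference set (assumed): hashes of pristine vendor files from a clean install.
    return root, {hashlib.sha256(vendor).hexdigest()}

if __name__ == "__main__":
    root, known_hashes = build_demo()
    known, unknown, errors = triage(root, known_hashes)
    print("set aside:", known)
    print("needs review:", unknown)
```

A vendor file that has been altered by even one byte no longer matches the reference set, so it stays in the review pile alongside the user's own documents.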

Analyzing evidence

But even with help from high-tech tools, NDIC administrators say, it’s the people – or in this case, the analysts – who make the difference.

Those analysts, with various areas of expertise, have to know what they’re looking for, how to find it and how to interpret what they find.

The work is complicated and can be intense, with information the DOMEX team uncovers sometimes used by investigators to seize more evidence or make an arrest.

“We’re getting something out to the field that they can use now – not six months or a year from now,” said Steve Gironda, NDIC’s Digital Evidence Laboratory supervisor.

While most missions are drug-related, DOMEX staff members are trained to handle all kinds of cases: They have helped with investigations involving terrorism, child abduction, weapons trafficking and organized crime.

“It pretty much works on anything,” Kuerner said. “White-collar crime, public corruption – anything that we’ve been asked to do, we’ve been able to do.”

Often, no matter what the alleged crime, NDIC experts are looking at the same types of devices. Paper evidence remains important, but more and more information is in electronic form:

• Cell phones, with their increasing complexity and capacity, can be virtual gold mines for analysts who are looking for phone numbers, addresses, pictures, etc.

“There’s so much information on a cell phone right now that never leaves it,” Gironda said, while adding that examining phones can be a complicated endeavor.

Three identically branded cell phones, for example, may be connected to three different service providers.

“All three of them, you have to attack a different way because they have different operating systems,” Gironda said.

• Computer-based instant messaging “gets the bad guys into more trouble than you might think,” Gironda said.

• Even video-game systems can play an important role, since many have hard drives and Internet connectivity.

Such systems “are used for nefarious activities because criminals believe those items will be overlooked by law enforcement because they are gaming machines,” NDIC spokesman Charles Miller said.

Getting results

With the average mission involving six computers and two phones, DOMEX staff members are not prone to overlooking anything.

“If we know what to look for – and our people are very good at this – we can provide a very good report,” said Bill Scott, a DOMEX team leader.

Last month, officials announced sentencings in the long-running Baltimore hydrocodone case: Two pharmacists will serve five years in prison, and each was ordered to pay nearly $11.9 million.

Forfeited to the government were houses, a business, seven cars and money in 33 bank accounts. The probe involved several federal agencies and numerous law-enforcement entities.

But Smith credits Paul Short, a DOMEX supervisor, with testifying in court on three occasions and helping to slam the door shut on the defendants.

“No one can hold a candle to (NDIC),” she said. “This was just amazing.”

Though they labor in relative anonymity in a former Johnstown department store, Short and his NDIC colleagues understand the potential impact of their work.

“This isn’t the guy selling crack on the street corner,” Short said. “These are guys who are dealing with tons and tons of drugs.”
